Too many collisions with -m 9720
#1
Hi,

Using latest cudahashcat, I try to collide some old Office hashes.
Using -m 9710 is okay.
Then I use -m 9720 with the results given by -m 9710.
My issue is that this last cmd gives me lots of collisions, let's say 5 in one hour. Cool, but what if I only want one collision? Or two? Can I specify this?

Thank you.
#2
https://hashcat.net/forum/thread-3665.html

In this thread atom talks about the implementation of the modes 9710 and 9720.
If I understand it right he split the mode 9700 into 9710 and 9720 so that you can use 9710 to get the RC4 key and use another tool to decrypt the document with this key. This is if you only want to access the document.
If you want to get the real password you use 9720 to get all collisions and therefore the actually used password.

Assuming that I understood this right I don't think it's possible to specify the amount of collisions found.
#3
Got it, but... I've launched :

Code:
cudaHashcat64.exe --outfile-format 5 -m 9700 hash.txt -a 3 ?b?b?b?b?b -w 3 --potfile-disable -o res_tmp.txt

Gives me the intermediate hexa hash :
$oldoffice$0*xxxxx:fb96d5b63a

As written by atom "Now that we have the intermediate hash, we can move forward to our second module:"

Code:
cudaHashcat64.exe -m 9700 res_tmp.txt -a 3 ?a?a?a?a?a?a -w 3 --potfile-disable
Output :
Quote:
WARNING: Hashfile 'res_tmp.txt' in line 1 ($oldoffice$0*xxxx:fb96d5b63a): Line-length exception
Parsed Hashes: 1/1 (100.00%)
ERROR: No hashes loaded

I've also tried with --output-format=1 to have "HEX[xx]" but same answer.

Is there a mistake with the given mode (-m 9700) ? When I use -m 9720 it gives me collisions.

Thanks for your help.
#4
To find collisions you should use only -m 9710 and -m 9720.

To recover the password without looking for collisions use -m 9700. Using ?b?b?b?b?b with -m 9700 doesn't really make sense, except if the password is really exactly 5 characters long (and non-ASCII characters are possible to input and are used within the password).

The output of -m 9710 can be used as input to -m 9720 to find a valid password collision from the recovered RC4 key.
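
An added illustration, not part of the posts in this thread and not hashcat code: a Python check of which mode a hash-file line fits, based only on the line layouts quoted here (a line ending in `:fb96d5b63a` was rejected by -m 9700 with "Line-length exception" and accepted by -m 9720). The function names are hypothetical, and `SAMPLE` is the `$oldoffice$1` line quoted in this thread.

```python
import re

# Layout as quoted in this thread: $oldoffice$<0|1>*<32 hex>*<32 hex>*<32 hex>,
# optionally followed by ":" and a 5-byte key written as 10 hex digits or $HEX[...].
_BASE = re.compile(r"^\$oldoffice\$[01]\*[0-9a-f]{32}\*[0-9a-f]{32}\*[0-9a-f]{32}$", re.I)
_KEY = re.compile(r"^(?:\$HEX\[([0-9a-f]{10})\]|([0-9a-f]{10}))$", re.I)

# Hash part of the line quoted in the thread (without its ":$HEX[...]" suffix).
SAMPLE = ("$oldoffice$1*d6aabb63363188b9b73a88efb9c9152e"
          "*afbbb9254764273f8f4fad9a5d82981f*6f09fd2eafc4ade522b5f2bee0eaf66d")


def split_line(line):
    """Return (hash_part, key_hex or None); raise ValueError if malformed."""
    base, sep, suffix = line.strip().partition(":")
    if not _BASE.match(base):
        raise ValueError("not a $oldoffice$0/$1 line: %r" % line)
    if not sep:
        return base, None
    match = _KEY.match(suffix)
    if not match:
        raise ValueError("suffix is not a 5-byte key in hex: %r" % suffix)
    return base, (match.group(1) or match.group(2)).lower()


def modes_for(line):
    """Modes whose hash file this line belongs in, going by the thread."""
    _, key = split_line(line)
    # A trailing key is what -m 9700 refused to load and -m 9720 consumed.
    return ("9720",) if key else ("9700", "9710")


def to_9720_line(line):
    """Rewrite a hash:key result as hash:<10 hex digits> for the -m 9720 step."""
    base, key = split_line(line)
    if key is None:
        raise ValueError("line carries no key yet; that is the -m 9710 step")
    return base + ":" + key


if __name__ == "__main__":
    for candidate in (SAMPLE, SAMPLE + ":$HEX[f2ab1219ae]"):
        print(modes_for(candidate), candidate[-24:])
```
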
#5
(01-23-2016, 01:05 PM)philsmd Wrote: To find collisions you should use only -m 9710 and -m 9720.
According to https://hashcat.net/forum/thread-3665.html, atom found collisions ("zvDtu!") with -m 9700. That's confusing..

So, -m 9700 is for real password only, and 9710/9720 for collisions.

So my first question was: the mode -m 9720 gives me several -infinite?- collisions, the program doesn't stop after one collision; how can I programmatically stop after one found collision?

Thanks.
#6
If you are referring to the initial post https://hashcat.net/forum/thread-3665-po...l#pid20935 you need to know that this thread was opened before devs even thought about implementing the -m 9710 and -m 9720 kernels (this was the testing phase for only -m 9700 - there was no -m 9710 and -m 9720 yet). You can even see this code he posted:

Code:
if ((digest[0] == swap_workaround (0xf2ab1219)) && ((digest[1] & 0xff) == swap_workaround (0xae000000)))

after atom found the "brute force" result:
$oldoffice$1*d6aabb63363188b9b73a88efb9c9152e*afbbb9254764273f8f4fad9a5d82981f*6f09fd2eafc4ade522b5f2bee0eaf66d:$HEX[f2ab1219ae]

This means, in this particular case you shouldn't rely (only) on the very first post (or at least read the full thread), because there are updates (like this one https://hashcat.net/forum/thread-3665-po...l#pid20945 ), where atom explains the progress and introduces -m 9710 and -m 9720.
Of course it is possible to use -m 9700 to run ?b?b?b?b?b, but the general idea is (again, after -m 9710 and -m 9720 were implemented) that you use -m 9710 and -m 9720 if you want to find collisions.



And to answer your original question: actually the main idea of this collision finding was to collect/see as many collisions as possible.
But I actually have a clever trick for you (but please promise me to not tell it to anyone ;) ): you can use this command to almost immediately stop after finding the first collision for the hash(es):
Code:
cudaHashcat64.exe -m 9720 --outfile-check-timer 1 --outfile-check-dir out\ -o out\collision.txt m09720.txt -a 3 ?b?b?b?b?b
(Make sure that the folder out\ exists before running oclHashcat.)
The outfile-check timer will mark the hash as cracked and therefore oclHashcat will stop cracking :)

Again, this is a hack and normally you would not need to use -m 9720 like this (stop after first found).
#7
That's actually a really neat little trick.
#8
Perfect trick! Thanks philsmd. Will try it asap.